12:01 a.m.
I have an Infineon TPM2 (and TPM 1.2) module for the raspi
https://www.infineon.com/cms/en/product/evaluation-boards/iridium9670-tpm...
It is available both, as tpm 2.0 and as tpm 1.2.
It has the SLB 9670VQ2.0 or SLB 9670VQ1.2 chips with SPI supported by
the tpm_tis_spi kernel module.
These modules have/had the ROCA vulnerability
https://en.wikipedia.org/wiki/ROCA_vulnerability
I'd like to check if mine are affected. Is there
- a way to find out the firmware version of the module (preferrably
using tpm2_tools)
- a possibility to upgrade the firmware (provided I can extract one from
the various upgrades for windows) using tpm2_tools? Or any other way?
Thanks
Ralf Schlatterbeck
--
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office(a)runtux.com
2:03 a.m.
-----Original Message-----
From: tpm2 [mailto:tpm2-bounces@lists.01.org] On Behalf Of Ralf Schlatterbeck
Sent: Thursday, April 11, 2019 9:02 AM
To: tpm2(a)lists.01.org
Subject: [tpm2] ROCA and firmware version
I have an Infineon TPM2 (and TPM 1.2) module for the raspi
https://www.infineon.com/cms/en/product/evaluation-boards/iridium9670-
tpm2.0-linux/
It is available both, as tpm 2.0 and as tpm 1.2.
It has the SLB 9670VQ2.0 or SLB 9670VQ1.2 chips with SPI supported by the
tpm_tis_spi kernel module.
These modules have/had the ROCA vulnerability
https://en.wikipedia.org/wiki/ROCA_vulnerability
I'd like to check if mine are affected. Is there
- a way to find out the firmware version of the module (preferrably
using tpm2_tools)
tools/tpm2_getcap -c properties-fixed
TPM2_PT_FAMILY_INDICATOR:
raw: 0x08322e3000
value: "2.0"
TPM2_PT_LEVEL:
value: 0
TPM2_PT_REVISION:
value: 1.42
TPM2_PT_DAY_OF_YEAR:
value: 0x23
TPM2_PT_YEAR:
value: 0x7E1
TPM2_PT_MANUFACTURER:
value 0x49424D20
TPM2_PT_VENDOR_STRING_1:
raw: 0x53572020
value: "SW"
TPM2_PT_VENDOR_STRING_2:
raw: 0x2054504D
value: "TPM"
TPM2_PT_VENDOR_STRING_3:
raw: 0x0
value: ""
TPM2_PT_VENDOR_STRING_4:
raw: 0x0
value: ""
TPM2_PT_VENDOR_TPM_TYPE:
value: 0x1
TPM2_PT_FIRMWARE_VERSION_1:
value: 0x20160511
TPM2_PT_FIRMWARE_VERSION_2:
value: 0x162800
- a possibility to upgrade the firmware (provided I can extract one
from
the various upgrades for windows) using tpm2_tools? Or any other way?
I have no idea on this part. I don't think the spec covers this and upgrade is
Manufacture dependent, but don't take my word for it.
Thanks
Ralf Schlatterbeck
--
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office(a)runtux.com
_______________________________________________
tpm2 mailing list
tpm2(a)lists.01.org
https://lists.01.org/mailman/listinfo/tpm2
3:43 p.m.
On Thu, Apr 11, 2019 at 06:03:44PM +0000, Roberts, William C wrote:
> From: tpm2 On Behalf Of Ralf Schlatterbeck
>
> It has the SLB 9670VQ2.0 or SLB 9670VQ1.2 chips with SPI supported by the
> tpm_tis_spi kernel module.
>
> These modules have/had the ROCA vulnerability
> https://en.wikipedia.org/wiki/ROCA_vulnerability
>
> I'd like to check if mine are affected. Is there
> - a way to find out the firmware version of the module (preferrably
> using tpm2_tools)
tools/tpm2_getcap -c properties-fixed
Cool, thanks. I had tried exactly this command with the debian buster
version of tpm2-tools which didn't show that info. Then I had to upgrade
because debian doesn't ship the Openssl engine. And didn't retry. So
since there are so many tpm2_ commands I wasn't sure :-)
My module has a firmware from 2016 and is vulnerable.
> - a possibility to upgrade the firmware (provided I can extract
one from
> the various upgrades for windows) using tpm2_tools? Or any other way?
I have no idea on this part. I don't think the spec covers this and upgrade is
Manufacture dependent, but don't take my word for it.
Yes, I thinks this one will be difficult. I check if I can get some info
from Infineon.
Ralf
--
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office(a)runtux.com
12:32 a.m.
-----Original Message-----
From: tpm2 [mailto:tpm2-bounces@lists.01.org] On Behalf Of Ralf Schlatterbeck
Sent: Friday, April 12, 2019 12:43 AM
To: tpm2(a)lists.01.org
Subject: Re: [tpm2] ROCA and firmware version
On Thu, Apr 11, 2019 at 06:03:44PM +0000, Roberts, William C wrote:
> > From: tpm2 On Behalf Of Ralf Schlatterbeck
> >
> > It has the SLB 9670VQ2.0 or SLB 9670VQ1.2 chips with SPI supported
> > by the tpm_tis_spi kernel module.
> >
> > These modules have/had the ROCA vulnerability
> > https://en.wikipedia.org/wiki/ROCA_vulnerability
> >
> > I'd like to check if mine are affected. Is there
> > - a way to find out the firmware version of the module (preferrably
> > using tpm2_tools)
>
> tools/tpm2_getcap -c properties-fixed
Cool, thanks. I had tried exactly this command with the debian buster version of
tpm2-tools which didn't show that info. Then I had to upgrade because debian
doesn't ship the Openssl engine. And didn't retry. So since there are so many
tpm2_ commands I wasn't sure :-)
Debian is very out of date, and we have an open issue in the tools to try and
Work with downstream to correct this.
https://github.com/tpm2-software/tpm2-tools/issues/1067
My module has a firmware from 2016 and is vulnerable.
> > - a possibility to upgrade the firmware (provided I can extract one from
> > the various upgrades for windows) using tpm2_tools? Or any other way?
>
> I have no idea on this part. I don't think the spec covers this and
> upgrade is Manufacture dependent, but don't take my word for it.
Yes, I thinks this one will be difficult. I check if I can get some info from Infineon.
Ralf
--
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office(a)runtux.com
_______________________________________________
tpm2 mailing list
tpm2(a)lists.01.org
https://lists.01.org/mailman/listinfo/tpm2
731
days inactive
732
days old
3 comments
2 participants
participants (2)
-
Ralf Schlatterbeck -
Roberts, William C